November 1997 / Core Technologies / Building the Virtual PC

A software emulator shows that the PowerPC can 
emulate another computer, down to its very hard} 

Eric Traut

Development of Virtual PC - Connectix Corporation's Macintosh applicatl( 
emulates a PC and its peripherals — began almost two years ago, in October 
The goal from the beginning was to create a fully Intel-compatible PC in so: 
The effort centered around a core Pentium instruction-set emulator, complel 
MMX instructions. True PC emulation also required the reverse-engineerinj 
development of a dozen other PC motherboard devices, including modem 
peripherals such as an accelerated SVGA card, an Ethernet controller, a Sou 
Blaster Pro sound card, IDE/ATAPI controller, and PCI bridge interface. Tl 
strategy of hardware-level emulation resulted in an application that allows 
Macintosh users to run not only Windows programs and DOS games but sc 
x86-based OSes, including Windows 95, NT, and NeXT OpenStep. 

Pentium Emulation 

The heart of Virtual PC is the Pentium recompiling emulator, a sophisticate! 
of software written entirely in hand-coded PowerPC assembly language. Its 
translate Pentium instruction sequences into a set of optimized PowerPC 
instructions that perform the same operation. Translation occurs on a "basic
basis, where a basic block consists of a sequence of decoded x86 instructioc
blocks end on an instruction that abruptly changes the flow of execution (tyj
jump, call, or return-from-subroutine instruction). As the recompiler decode
instructions, it analyzes them for "condition code" usage. Finally, it general
block of PowerPC code that accomplishes the same task. For more details o
process, see "Virtual PC Operation".

For purposes of speeding things up, the emulator employs the following trie 

Translation cache: Even though written in PowerPC assembly language, tl^
translator still requires substantial time to generate optimized instruction
translations. To reduce this overhead, the emulator caches blocks of translat

Interinstruction optimization: Because the Pentium is a CISC processor, i
instructions perform more than one operation. For example, the ADD instru
not only adds two values together, it also produces a number of condition- c
flags that tell programs whether the addition produced a zero or negative rei
Such codes are used, for example, to determine if a program performs a con
jump. Most of the time these codes are ignored. The translator analyzes blo<
x86 instructions to determine which flags the program uses (if any). It then
generates PowerPC code for those flags actually used. The first two listings
"Translated Code" show how one Pentium instruction translates into three
PowerPC instructions, while three Pentium instructions can be optimized fn
into five PowerPC instructions.
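
The flag analysis described above, sketched in C as an added example (not code from the article or from Connectix; insn_t, plan_flags and the flag bit encoding are hypothetical). It goes one step beyond the listings by tracking individual flags, and it assumes every flag is still needed at the end of a block because the next block is not known during translation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* x86 status flags as a bitmask (encoding constructed for this example). */
enum { F_CF = 1, F_PF = 2, F_AF = 4, F_ZF = 8, F_SF = 16, F_OF = 32, F_ALL = 63 };

typedef struct {
    const char *text;  /* disassembly, display only */
    uint8_t reads;     /* flags the instruction consumes */
    uint8_t writes;    /* flags the instruction defines */
    uint8_t emit;      /* out: flags the translation must compute */
} insn_t;

/* Backward liveness pass over one basic block. All flags are treated as
 * live at block exit, because the successor block is not known here.
 * Returns how many instructions still need flag-producing code. */
size_t plan_flags(insn_t *blk, size_t n)
{
    uint8_t live = F_ALL;
    size_t flagged = 0;
    for (size_t i = n; i-- > 0; ) {
        blk[i].emit = blk[i].writes & live;   /* keep only flags a later reader needs */
        live = (uint8_t)((live & ~blk[i].writes) | blk[i].reads);
        if (blk[i].emit)
            flagged++;
    }
    return flagged;
}

int main(void)
{
    /* Constructed sample: the three-ADD block from the article's listing. */
    insn_t blk[] = {
        { "ADD EAX,20", 0, F_ALL, 0 },
        { "ADD EBX,30", 0, F_ALL, 0 },
        { "ADD ECX,40", 0, F_ALL, 0 },
    };
    size_t n = sizeof blk / sizeof blk[0];
    size_t flagged = plan_flags(blk, n);
    for (size_t i = 0; i < n; i++)
        printf("%-12s emit=0x%02x\n", blk[i].text, (unsigned)blk[i].emit);
    printf("%zu of %zu instructions need flag code\n", flagged, n);
    return 0;
}
```

Only the last ADD keeps its flag computation, which matches the second listing, where the first two additions become plain add instructions.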

Address translation: One of the most difficult Pentium features to emulate 
built-in memory management unit (MMU). This hardware translates linear { 
logical) addresses into physical memory addresses. Operating systems use tl 
MMU to implement virtual memory and memory protection. Because of the 
Pentium's small register file, about three in four Pentium instructions referei 
memory in one way or another. Each memory address potentially needs to t 
translated before the emulator loads from, or stores to, the referenced addrei 
MMU implemented in software would impose a high overhead, which woul 
degrade performance. Luckily, this overhead can be avoided: The Connecti
engineers were able to program the PowerPC's MMU to mimic the Pentium
MMU's behavior, thus managing the address translations in hardware. The
Pentium's memory page attributes can also be mirrored in the PowerPC's M
For example, if Virtual PC's emulated OS marks a memory page as write-pr 
the page mappings are modified so the corresponding PowerPC page is writ 
protected. 

Segment bounds checking: The Pentium architecture includes the archaic i 
of memory segments. Every memory reference, such as instruction fetches, 
operations, loads, and stores, has an associated memory segment. When a 
segment's bounds are exceeded, the Pentium's MMU generates a general pn 
fault (GPF). The OS uses GPFs for more than detecting bugs in applications 
enable a program to "thunk" down into privileged driver-level code not accc 
at the application level. Therefore, the Pentium emulator must detect segme 
bound faults where appropriate. Although the PowerPC does not contain 
segmentation hardware akin to the Pentium, Connectix used PowerPC trap 
instructions to perform segment bounds checks with little or no overhead.

Hardware Emulation 

Besides the Pentium processor, a typical PC motherboard contains a dozen < 
chips that work together concurrently. All these chips need to be emulated
faithfully for compatibility. The Intel architecture provides an I/O address sj 
that's used to access hardware outside of the CPU. You work with this "I/O 
through two instructions — in and out. When using these instructions, softv 
must specify an I/O port (or address). Virtual PC routes I/O accesses to codt 
modules that emulate each chip. For example, if Virtual PC encounters an D 
instruction referencing port 0x21, it calls a routine in the interrupt-controller
emulation module that returns the current interrupt mask. Similar module ca
occur for every I/O space access, as the third listing in "Translated Code" sti
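
The port routing described above, sketched in C as an added example (not code from the article or from Connectix; io_map, emu_in, emu_out and the pic_* handlers are hypothetical). It assumes a table of port ranges, one handler pair per emulated chip, and a fixed result for ports no module claims, so guest accesses never reach code outside the table.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint8_t (*io_read_fn)(uint16_t port);
typedef void (*io_write_fn)(uint16_t port, uint8_t val);

typedef struct { uint16_t first, last; io_read_fn rd; io_write_fn wr; } io_range_t;

/* Hypothetical interrupt-controller module: port 0x21 holds the interrupt
 * mask. Port 0x20 is stubbed. Initial mask value is constructed. */
static uint8_t pic_mask = 0xFF;
static uint8_t pic_read(uint16_t port) { return port == 0x21 ? pic_mask : 0; }
static void pic_write(uint16_t port, uint8_t v) { if (port == 0x21) pic_mask = v; }

static const io_range_t io_map[] = {
    { 0x20, 0x21, pic_read, pic_write },   /* interrupt controller */
};

/* Find the module that owns a port, or NULL if no module claims it. */
static const io_range_t *find_range(uint16_t port)
{
    for (size_t i = 0; i < sizeof io_map / sizeof io_map[0]; i++)
        if (port >= io_map[i].first && port <= io_map[i].last)
            return &io_map[i];
    return NULL;
}

/* Emulated IN: unclaimed ports read as 0xFF (assumed default). */
uint8_t emu_in(uint16_t port)
{
    const io_range_t *r = find_range(port);
    return r ? r->rd(port) : 0xFF;
}

/* Emulated OUT: returns 1 if a module took the write, 0 if it was dropped. */
int emu_out(uint16_t port, uint8_t val)
{
    const io_range_t *r = find_range(port);
    if (!r)
        return 0;
    r->wr(port, val);
    return 1;
}

int main(void)
{
    emu_out(0x21, 0xFB);                              /* guest writes a new mask */
    printf("IN 0x21  -> 0x%02X\n", emu_in(0x21));    /* routed to the PIC module */
    printf("IN 0x3FF -> 0x%02X\n", emu_in(0x3FF));   /* unclaimed port */
    return 0;
}
```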

Many of the extra chips on a PC motherboard control I/O devices such as th 
drive, CD-ROM, keyboard, and mouse. For compatibility with the Mac OS 
Macintosh hardware, Virtual PC performs all I/O through the standard Mac
drivers. So, a request sent to the emulated PC's IDE controller to read a sect
the hard drive gets translated into a read operation that's sent to the Mac OS 
driver. 

The most difficult hardware components to emulate involve precise timing, 
example, sound is a real-time operation, and any timing perturbation results 
clicks or pops as digitally sampled data fails to arrive on time. Because Virt 
is hosted on the Mac OS (which gives time to other Mac programs running 
concurrently, as well as Virtual PC), and it needs to emulate several dozen I 
chips in parallel, precise timing isn't always possible. Virtual PC compensat 
placing the highest priority on tasks that directly affect the user, such as sou 
video. 

Performance

Emulated systems are naturally going to be slower than real hardware. But 
Connectix engineers concentrated on tuning aspects of the emulated hardwa 
required to run popular PC games and productivity applications at a usable 
performance level. This was especially challenging given that the PowerPC 
processor emulates not only the Pentium but all the other chips on a PC 
motherboard. 

Performance of Virtual PC is also greatly affected by the host hardware sysl
The latest PowerPC processors with high clock rates and large on-chip each 
run it best. The speed and size of the system's L2 cache is also critical becat 
the code expansion that occurs during the translation process. 

While users will take a performance hit because this is an emulator, Virtual
successfully emulates the entire PC at a very low level. PC programs — 
applications, device drivers, and operating systems alike — cannot tell they i 
running on actual PC hardware. 



Translated Code



Translation of Single Pentium Instruction 



Pentium instruction     PowerPC instructions

ADD EAX,20              li      rTemp1,20
                        addco.  rPF,rTemp1,rE
                        mr      rEAX,rPF



Translation of Pentium Instruction Block




BYTE.com






Pentium instructions    PowerPC instructions

ADD EAX,20              add     rEAX,rEAX,20
ADD EBX,30              add     rEBX,rEBX,30
ADD ECX,40              li      rTemp1,40
                        addco.  rPF,rTemp1,rE
                        mr      rECX,rPF



Code Translation for Pentium I/O Instructions 

Pentium instructions    PowerPC instructions

MOV AL,8                li      rAL,8
MOV DX,0x1F0            li      rDX,0x1F0
OUT DX,AL               bl      HandleIDEPort
ADD DX,7                addi    rDX,rDX,7
IN AL,DX                bl      HandleIDEPort
RET                     addi    rIP,rIP,8
                        b       DispatchToNe



Virtual PC Operation 



illustration link (24 Kbytes)



Eric Traut (mailto:traut@connectix.com) is lead engineer for Virtual PC at Con
Apple Computer, he wrote the 680x0 dynamic recompiling emulator for PowerPi 